Business associates were largely to blame for 2020 breaches

A new report shows that almost three-quarters of the breaches reported to HHS in the last six months of 2020 were tied to third-party business associates.
By Kat Jercich
01:47 PM

A report released Wednesday from CI Security found that cybercriminals have continued to take advantage of the fallout from COVID-19.

The report, which analyzed U.S. Department of Health and Human Services breach reports from last year, found that the number of healthcare data breaches increased 36% in the second half of 2020, compared to the first half.

According to analysts, 21.3 million healthcare records were breached in the second half of 2020 alone – with nearly three-quarters of all breaches tied to third parties.

"We must redouble our efforts to make sure our business associates are secure operators. That means we not only have to make sure our own networks and applications are secure, but we have to make sure all our partners have strong cyber hygiene," said Drex DeFord, executive healthcare strategist at CI Security, in an email to Healthcare IT News.

"Turns out that a risk accepted by anyone in our business/clinical/research ecosystem is a risk imposed on everyone else in that ecosystem," said DeFord, who contributed to the report. 


The report found that COVID-19's disruptive effect on the industry – including employee churn, rapid scale-ups of telemedicine, testing and vaccine rollout technology, fast-tracked vendors, and more generalized attacks – has made healthcare organizations vulnerable to cybercrime.

"The COVID-19 virus has been unrelenting, and so too are the cybercriminals who have taken advantage of the pandemic to breach healthcare organizations and gain unauthorized access to valuable patient data," read the report.

Analysts found that the total number of patient records accessed by bad actors nearly tripled in the back half of 2020 when compared to the first six months of the year. Of the millions of records breached, 97% were attributed to malicious hacking incidents rather than other causes. 

Criminals have "evolved," observed the analysts, to "attack the soft underbelly of healthcare networks – third-party business associates who provide services such as billing or insurance reimbursement."

A single breach at a business associate can drive multiple reports to HHS, analysts observed.

The report advises healthcare organizations to review every contract, make security a procurement priority, pay special attention to telehealth, protect work-from-home environments, take advantage of cloud providers, deploy identity and access management software, revisit security basics, and holistically evolve security programs.

"There is no magic pill that will cure healthcare security pains. Instead, effective protection against breaches requires a multitude of actions," read the report.


The impacts of 2020's healthcare breaches are still being felt.

Just this week, an NBC News report found that tens of thousands of patient records had been posted to the dark web following at least one cybercriminal attack in November.

The landscape is unlikely to improve. Last year, security experts predicted that the COVID-19 vaccine rollout would probably present major challenges in 2021, along with telehealth.


"The pandemic distraction of the first half of the year offered opportunity for cybercriminals to breach healthcare organizations and business associates, with many not realizing the problem until the second half of the year," noted DeFord. 

"Taken altogether, the result was a huge increase in the number of reports and the number of records exposed during the second half of the year," he said.  

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.
